diff --git a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
index 17956f604e..b6a8b7beb6 100755
--- a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
+++ b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
@@ -1321,6 +1321,14 @@ if [[ "${CAPABILITIES[@]}" =~ "backup.appuio.ch/v1alpha1/Schedule" ]]; then
     --set prune.retention.keepDaily=$DAILY_BACKUP_RETENTION
 fi
 
+# check for ISOLATION_NETWORK_POLICY feature flag, disabled by default
+if [ "$(featureFlag ISOLATION_NETWORK_POLICY)" = enabled ]; then
+  # add namespace isolation network policy to deployment
+  helm template isolation-network-policy /kubectl-build-deploy/helmcharts/isolation-network-policy \
+    -f /kubectl-build-deploy/values.yaml \
+    > $YAML_FOLDER/isolation-network-policy.yaml
+fi
+
 if [ "$(ls -A $YAML_FOLDER/)" ]; then
   find $YAML_FOLDER -type f -exec cat {} \;
   kubectl apply --insecure-skip-tls-verify -n ${NAMESPACE} -f $YAML_FOLDER/
diff --git a/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/.helmignore b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/Chart.yaml b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/Chart.yaml
new file mode 100644
index 0000000000..24e59d20c3
--- /dev/null
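Review bot: A failing `helm template` on the new `> $YAML_FOLDER/isolation-network-policy.yaml` line still leaves an empty or partial file behind, and the `ls -A` check right below then hands the whole folder to `kubectl apply`; unless the script runs under `set -e` (not visible in this hunk) the rendering error is never surfaced. Quoting the path and failing explicitly keeps the deploy honest: `> "$YAML_FOLDER/isolation-network-policy.yaml" || { echo "rendering isolation-network-policy failed" >&2; exit 1; }`. The chart's helpers read `.Values.project`, `.Values.environment`, `.Values.environmentType` and `.Values.buildType`, so a comment on the `-f /kubectl-build-deploy/values.yaml` line saying that file must already carry those keys at this point of the build would help the next maintainer. `featureFlag` is defined elsewhere in the file and is not part of this hunk.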
+++ b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: isolation-network-policy
+description: A Helm chart for Kubernetes creating a namespace isolation network policy.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
diff --git a/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/templates/_helpers.tpl
new file mode 100644
index 0000000000..0d2782f77e
--- /dev/null
+++ b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/templates/_helpers.tpl
@@ -0,0 +1,66 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "isolation-network-policy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "isolation-network-policy.fullname" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "isolation-network-policy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "isolation-network-policy.labels" -}}
+helm.sh/chart: {{ include "isolation-network-policy.chart" . }}
+{{ include "isolation-network-policy.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ include "isolation-network-policy.lagoonLabels" . }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "isolation-network-policy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "isolation-network-policy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Lagoon Labels
+*/}}
+{{- define "isolation-network-policy.lagoonLabels" -}}
+lagoon.sh/service: {{ .Release.Name }}
+lagoon.sh/service-type: {{ .Chart.Name }}
+lagoon.sh/project: {{ .Values.project }}
+lagoon.sh/environment: {{ .Values.environment }}
+lagoon.sh/environmentType: {{ .Values.environmentType }}
+lagoon.sh/buildType: {{ .Values.buildType }}
+{{- end }}
+
+{{/*
+Lagoon Annotations
+*/}}
+{{- define "isolation-network-policy.annotations" -}}
+lagoon.sh/version: {{ .Values.lagoonVersion | quote }}
+{{- if .Values.branch }}
+lagoon.sh/branch: {{ .Values.branch | quote }}
+{{- end }}
+{{- if .Values.prNumber }}
+lagoon.sh/prNumber: {{ .Values.prNumber | quote }}
+lagoon.sh/prHeadBranch: {{ .Values.prHeadBranch | quote }}
+lagoon.sh/prBaseBranch: {{ .Values.prBaseBranch | quote }}
+{{- end }}
+{{- end }}
diff --git a/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/templates/networkpolicy.yaml b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..de28cbebd2
--- /dev/null
+++ b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/templates/networkpolicy.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "isolation-network-policy.fullname" . }}
+  labels:
+    {{- include "isolation-network-policy.labels" . | nindent 4 }}
+  annotations:
+    {{- include "isolation-network-policy.annotations" . | nindent 4 }}
+spec:
+  # empty podSelector applies this policy to _all_ pods in the current
+  # namespace.
+  podSelector: {}
+  ingress:
+  - from:
+    # empty ingress podSelector means traffic from _all_ pods in the current
+    # namespace are allowed ingress.
+    - podSelector: {}
+    # allow network traffic from the ingress controller
+    - namespaceSelector:
+        matchLabels:
+          name: ingress-nginx
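Review bot: The `lagoonLabels` helper emits `.Values.project`, `.Values.environment`, `.Values.environmentType` and `.Values.buildType` unquoted, while the `annotations` helper in the same file pipes every value through `quote`; a value YAML reads as a non-string (a numeric-looking project name, `true`/`false`) renders an invalid label value and the later `kubectl apply` rejects the whole folder. Make the two helpers consistent: `lagoon.sh/project: {{ .Values.project | quote }}` and likewise for the other three lines. Where these values are populated is outside this diff (presumably `/kubectl-build-deploy/values.yaml` from the shell hunk), so the chart cannot assume they are already strings.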
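Review bot: The ingress-controller exception on the last three lines keys on the mutable namespace label `name: ingress-nginx`, so the isolation holds only as long as nobody else can create or label a namespace with that value; where the cluster sets the immutable `kubernetes.io/metadata.name` label on namespaces, matching on that instead ties the exception to the namespace's actual name. The policy is also ingress-only (no `policyTypes`, no `egress`) and only has effect on a CNI that enforces NetworkPolicy, both worth stating in the comment above `podSelector: {}`, e.g. `# ingress-only: egress stays unrestricted; needs a CNI that enforces NetworkPolicy`. The controller namespace name is hard-coded, so a cluster whose ingress controller lives elsewhere silently loses external traffic to the environment as soon as the feature flag is enabled; a comment naming that assumption on the `namespaceSelector` line would save an outage.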
diff --git a/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/values.yaml b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/values.yaml
new file mode 100644
index 0000000000..419dfa75bb
--- /dev/null
+++ b/images/kubectl-build-deploy-dind/helmcharts/isolation-network-policy/values.yaml
@@ -0,0 +1 @@
+nameOverride: ""